6 Copyright # 2006 by John Wiley & Sons, Inc. All rights reserved. Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) , fax (978) , or on the web at Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) , fax (201) , or online at Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) , outside the United States at (317) or fax (317) Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at Library of Congress Cataloging-in-Publication Data: Lewis, T. G. (Theodore Gyle), 1941 Critical infrastructure protection in homeland security: defending a networked nation/ted G. Lewis. p. cm. Published simultaneously in Canada. ISBN-13: ISBN-10: Computer networks Security measures United States. 2. Computer security United States Planning. 3. Terrorism United States Prevention. 4. Terrorism Government policy United States. 5. Civil defense United States. I. Title. QA A25L dc22 Printed in the United States of America

9 &PREFACE This book explains why the various infrastructure sectors have evolved into today s critical infrastructures and then proposes several quantitative procedures for evaluating their vulnerability and establishing optimal policies for reducing these vulnerabilities. It is the first scientific study of the new field called critical infrastructure protection. By scientific I mean that I have tried to explain why infrastructure sectors as diverse as water supply systems and the Internet have surprisingly similar structures. Even more important, I propose a rigorous approach for studying these sectors that I believe is general enough to analyze fundamental sectors such as water, power, energy, telecommunications, and the Internet. The reader will learn how to apply quantitative vulnerability analysis to a variety of infrastructure sectors and then be able to decide the best way to allocate limited funding in such as way as to minimize overall risk. As far as I know, this is the first time anyone has tried to formalize and quantify the field of critical infrastructure protection. I have attempted to establish the foundations of a new discipline made necessary by the al-qaeda attacks on the United States on September 11, 2001 (9/11). Before 9/11, the security of infrastructure was taken for granted. It was unthinkable for anyone to purposely destroy power plants, cut off water supplies, disable voice and data communications, deny access to information-processing computers, and render the Internet useless. Consequently, these systems were optimized for profit, efficient operation, and low cost. Security was sacrificed for economy. This public policy in operation for more than a century has left nearly all infrastructure systems vulnerable to manmade destruction. The question addressed by this book is, what should be protected, and how? This question is nontrivial because of the enormous size and complexity of infrastructure in the United States. The solution is made even more challenging by the entangled regulatory and system interdependencies of the various infrastructure sectors. The answer is to allocate the nation s scarce resources to the most critical components of each infrastructure the so-called critical nodes. In short, the best way to protect infrastructure is to identify and protect (harden) the critical nodes of each sector. But what parts of these vast structures are critical? This question is key. I claim that the optimal policy for critical infrastructure protection is to identify and protect a handful of critical assets throughout the United States. For example, perhaps less than 100 essential servers maintain the World Wide Web. There are perhaps fewer than a dozen critical nodes in the nation s energy supply chain, and vii

10 viii PREFACE maybe as few as 1000 key links in the major power grids that all other sectors depend on so heavily. Chapter 1 surveys the national strategy and recommends five principles as guides for how to approach the protection of infrastructures. Although critical infrastructure protection is a massive problem, it turns out that a handful of principles can be applied to solve this problem, or at least to start the journey that will lead to a solution. Chapter 1 also analyzes the national strategy and points out several gaps between the ideal approach and the reality. In Chapter 2, I briefly review the history of infrastructure protection from the 1962 Cuban Missile Crisis to the formation of the U.S. Department of Homeland Security in This historical account of how the United States became aware of, and concerned for, infrastructures sets the stage for subsequent chapters. However, it does not offer any solutions to organizational and structural problems that plague government. I leave this challenge to another author. Chapter 3 surveys some challenges to protecting the nation s infrastructures and key assets. This necessity is preliminary so that the reader can put the challenges into perspective and understand why I have narrowed the study of infrastructures down to a much smaller subset than actually exists. I have attempted to carve out a small enough territory that it can be adequately covered in a single book. In Chapters 4 6, I establish the theory needed to master critical infrastructure protection as a scientific, formal discipline. I begin by claiming that all infrastructures of interest can be represented as a network of connected components called nodes. These nodes are connected by links. By simply counting the number of links at each node, I can identify the critical nodes. In most cases, there are one or two critical nodes, which reduces the problem of protection by several orders of magnitude. In this way, the concept of an infrastructure as a network is established and used to reduce the complexity of size a challenge we need to surmount because of the vastness of each critical infrastructure. Without network theory, the problem is too large we can never protect every mile of railroad, every power line, and every telephone pole. Only through network analysis can we reduce the problem of critical infrastructure protection to a workable (and solvable) problem! Chapters 5 and 6 describe a method of vulnerability analysis and risk assessment based on network theory and the reliability engineer s fault tree technology. In these two chapters, I present a five-step vulnerability and risk assessment process that uses estimates of the cost and probability of an attack to compute an investment strategy aimed at reducing risk in the most effective way. Chapter 5 is focused on modeling the infrastructure as a fault tree, and Chapter 6 is focused on computing the best way to allocate the risk reduction budget. The first step in the process described in Chapters 5 and 6 is to model the infrastructure as a network, find the critical nodes of this network, and then represent the structure of the critical node as a fault tree. The fault tree is converted into an event tree that enumerates all possible vulnerabilities and combinations of vulnerabilities. The fault and event trees identify the single- and multiple-combination events as well as the most-probable events that may occur because of threats.

11 PREFACE ix Chapter 6 describes a variety of risk assessment algorithms. The idea is to allocate limited resources (money) in an optimal fashion such that overall risk is minimized. But how is vulnerability and risk defined? And what is the objective of resource allocation? Is it to reduce risk, eliminate all vulnerabilities, or simply prevent the worst thing from happening? As it turns out, we must decide which strategy is best, from among several competing strategies. This method of assessment called model-based vulnerability analysis (MBVA) for obvious reasons is based on sound principles of logic, probability, and cost minimization. MBVA provides the policy maker with a scientific answer to the questions, what is worthwhile protecting, and by how much? MBVA is the only known method of vulnerability analysis and risk assessment that combines asset identification with quantitative analysis to reach a policy decision. It tells the decision maker how much money to spend on protecting the most critical components of the infrastructure. Chapters 7 14 simply apply the MBVA technique to level 1 infrastructures: water, power and energy, information (telecommunications, Internet, Web, and cyber-security), and the monitoring and management networks that control them (SCADA). Power and energy are treated separately because of their size and complexity. The information sector is discussed in several chapters because it is a large and important topic. Unfortunately, the remaining eight major sectors defined by the national strategy are not covered in this volume because of their shear size and complexity. There are several companions to this book: a website at a CD containing audio and video lectures and articles, and the software described in this book. Both of these companions contribute more depth to the subject. The electronic media (Web and disk) contain executable programs for demonstrating concepts and reducing the mathematical labor during vulnerability analysis. Program FTplus.html",4>FTplus.html (FT.jar",4>FT.jar on the desktop), for example, performs the optimal resource allocation calculations described in Chapter 6. The RSA program calculates a public key and encrypts text automatically, thus providing the reader with hands-on tools for studying encryption. Other programs perform simulations, such as POWERGRAPH, which shows how a scale-free network emerges from a random network the basis for today s critical infrastructure architectures. A program called TERMITES reinforces one of the most important concepts of this book: how and why critical nodes are formed. TER- MITES illustrates clustering the concentration of assets around one or more critical nodes, which then become the most vulnerable components of all. A novel program called NetworkAnalysis.html (a.k.a. NA.jar on the desktop) uses complex adaptive system algorithms to allocate resources to networks that tend to fail by cascading, such as the power grid. This program computes the best way to protect an infrastructure by allocating resources optimally to critical components of the infrastructure. FTplus.html and NetworkAnalysis.html run from within any standard browser whether on a Microsoft Windows or Apple Macintosh computer. NA.jar and FT.jar run as stand-alone desktop applications and allow you to save your work

12 x PREFACE as a local file. The source code is available as well, so you can modify it and do your own research. In addition, the website and disk contain several audio tracks of the materials covered in the book. The audio tracks may be downloaded into a computer and then into an MP-3 player for mobile learning. For example, the 2003 National Strategy for the Protection of Critical Infrastructure and Key Assets is available as a collection of several audio tracks. For history and political science students, the foundational presidential directives (PDD-39, PDD-63, and HSPD-7) have been similarly transcribed into an audio book and are available online and on the disk. This book is one component of blended learning the combination of text, audio/video disk, and Web page. Specifically, several electronic lectures have been produced for online and CD viewing. All you need is a browser and either access to or a copy of the companion CD. The audio/ video streaming lectures are tuned to this book, the website, and other content, such as the software for simulating various sectors and demonstrating vital concepts. In this way, the self-taught learner or classroom instructor can elect to learn by reading, listening, looking, or through participation in a traditional classroom setting. I began developing the ideas for this book in the fall of 2002 and published a draft textbook in The material was class-tested in 2004, revised, and republished in This book, the website, and the associated electronic media have been used extensively to teach a course labeled, CS 3660 Critical Infrastructure: Vulnerability and Analysis one of a dozen courses given to military and civilian students enrolled in the Master of Arts in Security Studies, Homeland Defense, and Security curriculum at the Naval Postgraduate School, Monterey, CA. It is appropriate for upper division undergraduate and first-year graduate students majoring in national security, computing, and policy subjects where both policy and technical decisions are analyzed. Although it has been thoroughly class tested, it is still now without flaws. I take responsibility for any errors, inconsistencies, and exaggerations that may still exist in this edition. I would like to thank my students for their insights, feedback, and contributions to this work. They have taught me well! Additionally, I would like to thank Steve McNally of Bellevue University, Hilda Blanco, University of Washington, and her students, for giving feedback on early drafts of this book. Joe Weiss was invaluable as a careful reader and critic of the SCADA chapter. Rudy Darken made many important contributions to the ideas and delivery methods used over 2 years of class testing. TED G. LEWIS December 2005

13 &ABOUT THE AUTHOR Ted G. Lewis has a distinguished 35-year career as a computer scientist, author, businessman, and scholar. His undergraduate degree is in Mathematics from Oregon State University (1966), and his graduate degrees were awarded in 1970 (M.S. Computer Science) and 1971 (Ph.D. Computer Science) from Washington State University. Since 1971 he has participated in several significant firsts : In the late 1970s, he wrote the first personal computer book (How to Profit From Your Personal Computer); in 2002, he co-created, with Paul Stockton, the first graduate degree program in Homeland Security. In between, Lewis helped create the first Internet Car while serving as President and CEO of DaimlerChrysler Research and Technology, North America. During his technical career, he invented several important algorithms in software engineering (horizontal vertical algorithm for deadlock detection); parallel processing (static scheduling of parallel programs on arbitrary architectures); and the model-based vulnerability analysis method of critical infrastructure risk assessment. And now he has written the first textbook to establish the study of critical infrastructure protection as a formal, scientific discipline. He has over 100 publications, including over 30 books. In , his books, Friction-Free Economy and Microsoft Rising documented the technical and economic forces that shaped the Internet Bubble, and in March 2000, he predicted its precipitous fall (IEEE Computer Magazine, March 2000). He is perhaps best known to the members of the IEEE Computer Society for a series of provocative articles appearing in the Binary Critic column of IEEE Computer from 1995 to His management experience began in 1988 as Technical Director of the Oregon Advanced Computing Institute. During , he was chairman of the Computer Science Department at the Naval Postgraduate School, and during , he was CEO of DaimlerChrysler Research and Technology NA in Palo Alto, CA. From 2001 to 2002, he was Senior Vice President of Digital Development for the Eastman Kodak Company. Currently, he is professor of Computer Science and Academic Associate of the Homeland Defense and Security curriculum at the Naval Postgraduate School. With the much-awaited publication of Critical Infrastructure Protection in Homeland Security, Professor Ted Lewis has provided Homeland Security specialists, law enforcement personnel, emergency managers, critical infrastructure experts and those whose day-to-day duties involve infrastructure security and protection with a timely, relevant and invaluable resource for defending the very essence of the American homeland. Lucidly written, perceptively analyzed and exhaustively xi

14 xii ABOUT THE AUTHOR researched, Critical Infrastructure Protection in Homeland Security is a work that reflects the concerns of our time while providing a viable blueprint for protecting our shared technological heritage. For those interested in critical infrastructure protection, Homeland Security and national defense, there is no better one-stop resource than this book. Read it, and you ll never be in the dark again when it comes to critical infrastructure protection. David Longshore, New York City Homeland Security Liaison Professor Lewis s definitive textbook on critical infrastructure protection is a fascinating study of one of the challenges facing the nation in combating terrorism. In clear and concise language he establishes the foundation for his theory that critical infrastructure sectors are networks of critical nodes and links. Through network analysis, he identifies the most critical components of water systems, telecommunication systems, power grids, energy supply chains, and cyber systems such as the Internet and the World Wide Web. This is a must-read for anyone who wants to understand how to protect the nation s most-valuable physical assets. Richard Elster, Provost, Naval Postgraduate School

15 &CHAPTER 1 Strategy What is the motivation for studying critical infrastructure protection? What are the central issues that need to be addressed to create a meaningful strategy for dealing with threats against infrastructure? Moreover, what is the national strategy? This chapter introduces the reader to the national strategy for the protection of critical infrastructure; identifies the roles and responsibilities of the federal, state, and local governments; lays out the approach being taken by the Department of Defense (DOD), and the newly created Department of Homeland Security (DHS), and then postulates five strategic principles of critical infrastructure. This chapter makes the following claims and arguments: 1. Protection of critical infrastructure such as water, power, energy, and telecommunications is vital because of the impact such destruction would have on casualties, the economy, the psychology, and the pride of the nation. 2. Homeland defense and homeland security differ: The DOD is responsible for defense; and federal, state, and local governments are responsible for security. This division of responsibility defines roles and responsibilities of each, but their intersection say along the borders and coastline remains blurred at this time. 3. Federalism dictates a division of labor across federal, state, and local jurisdictions. The DHS is responsible for cross-sector roles such as standardization, research, and education. Delegation of major responsibility for critical infrastructure protection to state and local government is suboptimal, because nearly all critical infrastructure spans counties, states, and regions of the country. 4. When it comes to critical infrastructure protection, we will learn that it takes a network to fight a network. The United States and its collaborating cities, states, and regional partners are organized as a hierarchical bureaucracy. In other words, the nation is not network-centric. On the other hand, the organizational architecture of terrorist organizations is a network, which means they can flex and react quickly much more quickly than hierarchical Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation, edited by Ted G. Lewis Copyright # 2006 John Wiley & Sons, Inc. 1

16 2 STRATEGY organizations. By understanding network architectures in general, we will be able to apply network theory to both organizational and physical structures. 5. Network-structured critical infrastructure sectors can be protected most effectively by identifying and securing the hubs, not the spokes of each infrastructure sector, Hence, the best strategy for infrastructure protection will be based on identification and protection of these hubs. It is called critical node analysis, because hubs will be shown to be the critical nodes The optimal strategy for critical infrastructure protection will follow the familiar 80 20% rule: 80% of our resources should be spent on 20% of the country. Although this national strategy is most effective for preventing attacks on infrastructure, it may not be politically feasible, because it does not distribute funding everywhere only where it can be used in the most effective manner. 7. In addition to an uneven distribution of funding to prevent failures in critical infrastructure, we must learn to think dual-purpose. Most critical infrastructure is in the hands of corporations whose first responsibility is to shareholders, and not to homeland security. Therefore, one way to coax the necessary investment from profit-making private sector corporations is to couple investments in security with productivity and efficiency enhancements. 8. Critical infrastructure is too vast and complex to protect it all. The attacker has the luxury of attacking anytime, anywhere, using any weapon. As defenders we have the duty to protect everything, all the time, with infinite funding. Assuming we have less-than-infinite resources, our only alternative is to think asymmetric. Asymmetric thinking means thinking of new ways to protect our vast and complex infrastructure from attack. It means we must be clever. 9. Perhaps the biggest claim made by the author in this chapter is that critical infrastructure responsibility has to reside at the federal level because intelligence gathering and analysis is controlled by federal organizations, most infrastructure is controlled by interstate commerce laws at the federal level and therefore not local, and local communities are ill-prepared to wage war on global terrorism. DEFINING CRITICAL INFRASTRUCTURE The phrase, critical infrastructure protection, did not appear in print until 1997, but the concept of infrastructure security has been evolving ever since the 1962 Cuban Missile Crisis, when President Kennedy and Premier Khrushchev had difficulty communicating with one another because of inadequate telecommunication technology. Therefore, telecommunications is the first sector to be considered critical. But it would take decades for the United States to become aware of the importance of other sectors an evolution described in more detail in Chapter 2. 1 Critical nodes will be synonymous with hubs, in this book.

17 DEFINING CRITICAL INFRASTRUCTURE 3 The Marsh Report (1997) and the subsequent executive order EO (1998) provided the first definition of infrastructure as a network of independent, mostly privately-owned, man-made systems that function collaboratively and synergistically to produce and distribute a continuous flow of essential goods and services. A critical infrastructure is, an infrastructure so vital that its incapacity or destruction would have a debilitating impact on our defense and national security. 2 Critical infrastructure could also have become known as vital infrastructure, according to this early definition. An infrastructure is considered critical because it is vital to national security, but the Marsh Report does not provide a concise definition of the term vital. Indeed, one primary challenge of critical infrastructure will be the determination of which assets should be protected and which ones should not. It is primarily an issue of resource allocation, or the process of committing dollars, people, equipment, and legal assets to the prevention of attacks on various sectors. Resource allocation goes beyond target hardening and encompasses the formulation of a strategy to protect vital assets. Today s definition of critical infrastructure includes 11 sectors and 5 key assets. This definition has grown out of an earlier definition that included only five sectors and is likely to expand even further over the next decade. According to the national strategy, critical infrastructure and key assets encompass the following sectors: 1. Agriculture and food 2. Water 3. Public health 4. Emergency services 5. Defense industrial base 6. Telecommunications 7. Energy 8. Transportation 9. Banking and finance 10. Chemicals and hazardous materials 11. Postal and shipping The key assets are as follows: 1. National monuments and icons (Statue of Liberty) 2. Nuclear power plants 3. Dams 4. Government facilities (offices and governmental departments) 5. Commercial key assets (major skyscrapers) 2 Critical Foundations: Protecting America s Infrastructures, The Report of the President s Commission on Critical Infrastructure Protection, October 1997.

18 4 STRATEGY Critical infrastructure protection is defined as the strategies, policies, and preparedness needed to protect, prevent, and when necessary, respond to attacks on these sectors and key assets. This definition, and how it evolved out of the Cuban Missile Crisis, is explored in greater detail in Chapter 2. THE IMPORTANCE OF STRATEGY The definition of critical infrastructure is evolving, and so is the strategy for protecting the various sectors that make up critical infrastructure. What is the national, state, city, and local level strategy for protection of these vital systems and services? Are the strategies adequate? Do they lead to a safer and more secure infrastructure? Answering these and related questions is the aim of this book. To reach the answer, however, it is necessary to understand the regulatory, technical, and dynamic structure of each sector. This task is daunting because of the enormous size and complexity of each individual sector. Furthermore, we know that each sector is interdependent with others, which complicates the problem even more. It is why we need an overarching strategy. Hence, the first step in the study of critical infrastructure protection is to establish a framework that will set a course for successful policies at the national, state, and local levels. We need to understand what we mean by strategy. Johnson and Scholes 3 define strategy as follows: Strategy is the direction and scope of an organization over the long-term: which achieves advantage for the organization through its configuration of resources within a challenging environment, to meet the needs of markets and to fulfill stakeholder expectations. Although this definition is aimed at business managers, it serves us well because the problems of critical infrastructure protection, like the problems of industry, are organizational, technical, and resource allocation problems. Similarly, strategy is a long-term plan, and we know that the war on terrorism is a long-term war. There will be no quick fixes to the problem of critical infrastructure protection. Additionally, the elements of infrastructure size and complexity exist in a challenging environment the challenge posed by terrorism. Finally, the American public has high expectations for success on the part of federal, state, and local governments in their efforts to protect the most valuable and essential components of modern life our water, power, energy, telecommunications, Internet, and other infrastructure sectors. Any strategy for securing these assets must be perfect; the citizens of the United States will not tolerate near-perfection. Strategy is important because it provides a roadmap for solving complex problems involving organizations, technologies, and resource allocation within a 3 G. Johnson and K. Scholes, Exploring Corporate Strategy: Text and Cases. Englewood Cliffs, NJ: Prentice-Hall, 2001.

19 THE IMPORTANCE OF STRATEGY 5 challenging environment. This description accurately describes the situation with respect to homeland security. But, the question is, what is a winning strategy for the United States? What is the current national strategy, and is it adequate? Actually, there are several strategies in play at this time. First, there is a difference between homeland defense and homeland security. The DOD has responsibility for homeland defense, which the author defines as all defense activities outside of the country, or when called upon and under civilian control, within the country. 4 Nonetheless, the strategy of the DOD is instructive because it provides an example that illustrates the division of roles and responsibilities between civilian and military organizations. It also illustrates one of the most vexing organizational problems in the war on global terrorism that of establishing who is in control and of what they are controlling. DOD Strategy: Layered Defense The homeland defense strategy articulated by the DOD is called a layered defense. The term layered means different approaches are applied to different layers regions of the world, depending on the geopolitical environment. The goal of this strategy is to suppress and deter threats from as far away as possible, first and foremost, and then suppress and deter the threat layer by layer, as the threat approaches our borders. The first layer starts with other countries (Afghanistan and Iraq). The next layer is on the High Seas (Navy), within a 300-mile buffer for commercial shipping, then at the 12-mile zone with the Coast Guard, and finally at the border, with the cooperation of U.S. Customs. If called in by civilian authorities, the DOD s role is to provide assistance within the border through a newly formed Northern Command. Layered defense is a well-known ancient strategy. It was used by Rome to hold the barbarians at bay. The strategy is as effective today as it was then, as long as the threat is the same. Unfortunately, the threat of chemical, biological, radiological, nuclear, and asymmetric explosive attacks is radically different today than 2000 years ago. Asymmetric conflict brings the battle home, inside the borders. Hence, the layered strategy of DOD is only part of the answer. A domestic strategy is needed, because the global war on terrorism is not restricted to the other side of the border. DHS Strategy: Preparedness, Response, and Research The DHS was legally created in 2002 and physically implemented in 2003 to address the problem of security within our borders. The roles and responsibilities of the DHS 4 At the time of this writing, homeland defense was undergoing revision. In an Army document dated April 1999, the term was described as follows: There is currently no definition of homeland defense. The proposed definition shows the Army s mission to protect our territory, population, and critical infrastructure by; deterring/defending against foreign and domestic threats, supporting civil authorities for crisis and consequence management, and helping to ensure the continuance [of] critical national assets.

20 6 STRATEGY are still evolving, but at a minimum, its responsibility is to protect the citizens of the United States through bolstering of:. Intelligence and warning. Border and transportation security. Domestic counter-terrorism. Critical infrastructures and key assets. Defending against catastrophic terrorism. Emergency preparedness and response Indeed, the terrorist attack of September 11, 2001 (9/11) was an attack on banking and finance, using the transportation sector. Therefore, two critical infrastructure sectors have already been attacked or involved in a major attack. The devastation of 9/11 demonstrates that attacks on infrastructure can result in massive casualties, sizeable economic, political, and psychological damage, not to mention damage to the American psyche. These are collectively called attacks on the American Way of Life and because of the potential to disrupt an entire society, critical infrastructure protection must be one pillar of the homeland security strategy. The importance of infrastructure protection has steadily risen over the past 40 years, as described in Chapter 2. The importance of a national strategy for the protection of critical infrastructure and key assets has yet to mature. The components of a national strategy are in the process of evolving starting with the Stafford Act of 1988, which established the Federal Emergency Management Agency (FEMA) for coping with natural disasters; to the Nunn-Lugar-Domenici Act of 1999, which provided for defense against weapons of mass destruction (WMDs); and finally, to the DHS (HSPD-7) declaration by President Bush in late Therefore, by 2004, the outlines of a national strategy were known, but not fully implemented. In the next section, we dissect the national strategy for homeland security as it pertains to the protection of infrastructure. The final section of this chapter will go one step further and describe a set of strategic principles for guiding future policies. HOMELAND SECURITY AND CRITICAL INFRASTRUCTURE What are the roles and responsibilities of the federal government? What are the responsibilities of state and local governments? These questions were addressed (if not fully answered) by the 2003 National Strategy, which is summarized here as follows: 1. Take stock of our most critical facilities, systems, and functions and monitor their preparedness across sectors and governmental jurisdictions. The first step in any vulnerability analysis is to take inventory find out what you have, and how it works. This process was started in 2003 and continues today. State and local governments are required to perform an analysis of critical infrastructure every 3 years. But this requirement is problematic, because at this stage, it is

The Trident University International (Trident) catalog consists of two parts: Policy Handbook and Academic Programs, which reflect current academic policies, procedures, program and degree offerings, course

THE WHITE HOUSE Office of the Press Secretary For Immediate Release February 12, 2013 February 12, 2013 PRESIDENTIAL POLICY DIRECTIVE/PPD-21 SUBJECT: Critical Infrastructure Security and Resilience The

Espionage and Intelligence Debra A. Miller, Book Editor Intelligence... has always been used by the United States to support U.S. military operations, but much of what forms today s intelligence system

The Senior Executive s Role in Cybersecurity. By: Andrew Serwin and Ron Plesco. 1 Calling All CEOs Are You Ready to Defend the Battlefield of the 21st Century? It is not the norm for corporations to be

THE NATIONAL STRATEGY FOR The Physical Protection of Critical Infrastructures and Key Assets f e b r u a r y 2 0 0 3 THE NATIONAL STRATEGY FOR The Physical Protection of Critical Infrastructures and Key

TEXAS HOMELAND SECURITY STRATEGIC PLAN 2015-2020: PRIORITY ACTIONS INTRODUCTION The purpose of this document is to list the aligned with each in the Texas Homeland Security Strategic Plan 2015-2020 (THSSP).

Preventing and Defending Against Cyber Attacks June 2011 The Department of Homeland Security (DHS) is responsible for helping Federal Executive Branch civilian departments and agencies secure their unclassified

The Comprehensive National Cybersecurity Initiative President Obama has identified cybersecurity as one of the most serious economic and national security challenges we face as a nation, but one that we

APICS INSIGHTS AND INNOVATIONS SUPPLY CHAIN RISK CHALLENGES AND PRACTICES APICS INSIGHTS AND INNOVATIONS ABOUT THIS REPORT This report examines the role that supply chain risk management plays in organizations

Preventing and Defending Against Cyber Attacks November 2010 The Nation s first ever Quadrennial Homeland Security Review (QHSR), delivered to Congress in February 2010, identified safeguarding and securing

ROCKEFELLER SNOWE CYBERSECURITY ACT SUBSTITUTE AMENDMENT FOR S.773 March 17, 2010 BACKGROUND & WHY THIS LEGISLATION IS IMPORTANT: Our nation is at risk. The networks that American families and businesses

Chart Patterns: After the Buy The Wiley Trading series features books by traders who have survived the market s ever changing temperament and have prospered some by reinventing systems, others by getting

Issue Paper Center for Strategic Leadership, U.S. Army War College May 2003 Volume 04-03 Wargaming Homeland Security and Army Reserve Component Issues By Professor Michael Pasquarett Background The President

Assessment Profile: Establishing Curricular Categories for Homeland Security Education During any examination or assessment of the subject, homeland security, it becomes quite evident that by the definition(s)

U.S. Department of Homeland Security in partnership with the National Coordination Office for Space-Based Positioning, Navigation and Timing Critical Infrastructure Security and Resilience International

Actions and Recommendations (A/R) Summary Priority I: A National Cyberspace Security Response System A/R 1-1: DHS will create a single point-ofcontact for the federal government s interaction with industry

Best Practices in ICS Security for Device Manufacturers A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security

TESTIMONY OF ZOË BAIRD, PRESIDENT, MARKLE FOUNDATION CHAIRMAN, TASK FORCE ON NATIONAL SECURITY IN THE INFORMATION AGE Select Committee on Homeland Security U.S. House of Representatives "Information Sharing

Purpose of the Governor s strategy The Governor s initiative to develop and implement a State of Tennessee program to counter terrorism within the State is outlined in this document. The primary purpose

March 2010 Methods for Assessing Vulnerability of Critical Infrastructure Project Leads Eric Solano, PhD, PE, RTI International Statement of Problem Several events in the recent past, including the attacks

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015 The following consists of the joint explanatory statement to accompany the Cybersecurity Act of 2015. This joint explanatory statement

HUMAN RESOURCES MANAGEMENT FOR PUBLIC AND NONPROFIT ORGANIZATIONS Essential Texts for Public and Nonprofit Leadership and Management The Handbook of Nonprofit Governance, by BoardSource Strategic Planning

El Camino College Homeland Security Spring 2016 Courses With over 250,000 federal positions in Homeland Security and associated divisions, students may find good career opportunities in this field. Explore

U.S. Department of Homeland Security Protective Security Advisor (PSA) North Carolina District Securing the Nation s s critical infrastructures one community at a time Critical Infrastructure & Key Resources

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT JANUARY 2008 GUIDELINE ON BUSINESS CONTINUITY GUIDELINE CBK/PG/14

NEBRASKA STATE HOMELAND SECURITY STRATEGY 2014-2016 Nebraska Homeland Security Policy Group/Senior Advisory Council This document provides an overall framework for what the State of Nebraska hopes to achieve

VOLUME 6, NUMBER 1, 2012 The Design of an Undergraduate Program In Homeland Security Jon E. Travis Professor Director, Higher Ed Doctoral Program Director, Center for Community College Education Department

NGA Paper Act and Adjust: A Call to Action for Governors for Cybersecurity challenges facing the nation. Although implementing policies and practices that will make state systems and data more secure will

RISK MANAGEMENT Capability Definition Risk Management is defined by the Government Accountability Office (GAO) as A continuous process of managing through a series of mitigating actions that permeate an

ALLEN COUNTY CODE TITLE 8 PUBLIC SAFETY ARTICLE 8 COUNTY EMERGENCY MANAGEMENT AGENCY (EMA) 8-8-1 Chapter 1: Title This Ordinance shall be known and may be cited and referred to as the Emergency Management

Securing Homeland the Homeland Through Through Information Information Sharing Sharing and Collaboration and Collaboration Department of Homeland Security April 18, 2008 for the Department of Introduction

A Functional Model for Critical Infrastructure Information Sharing and Analysis Maturing and Expanding Efforts ISAC Council White Paper January 31, 2004 1. PURPOSE/OBJECTIVES This paper is an effort to

GAO United States General Accounting Office Testimony Before the Subcommittee on Technology, Terrorism and Government Information, Committee on the Judiciary, U.S. Senate For Release on Delivery Expected

Testimony of John A. McCarthy, Director of the Critical Infrastructure Protection Project, George Mason School of Law Before a joint hearing of the House Subcommittee on Infrastructure Security and The

2016 CFA EXAM REVIEW COVERS ALL TOPICS IN LEVEL I LEVEL I CFA FORMULA SHEETS Copyright 2016 by John Wiley & Sons, Inc. All rights reserved. Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published

The Cybersecurity Journey How to Begin an Integrated Cybersecurity Program March 2005 Legal and Copyright Notice The Chemical Industry Data Exchange (CIDX) is a nonprofit corporation, incorporated in the

Testimony of Dan Nutkis CEO of HITRUST Alliance Before the Oversight and Government Reform Committee, Subcommittee on Information Technology Hearing entitled: Cybersecurity: The Evolving Nature of Cyber

Statement for the Record by Dr. Donald M. Kerr Director, National Reconnaissance Office, Nominee for the Position of Principal Deputy Director of National Intelligence, before the Senate Select Committee

TESTIMONY OF DANIEL DUFF VICE PRESIDENT - GOVERNMENT AFFAIRS AMERICAN PUBLIC TRANSPORTATION ASSOCIATION BEFORE THE HOUSE COMMITTEE ON GOVERNMENT REFORM ON THE 9/11 COMMISSION RECOMMENDATIONS ******* August

Risk Mapping A Risk Management Tool with Powerful Applications in the New Economy By Todd Williams and Steve Saporito What if your company s major business risks, obstacles to strategic objectives, and

Cyber Security Ultimately Is Military Security Reporter: ZUO Xiaoyu You Ji Professor of Macau University, School of Social Sciences. Research Area: national security. With deepening development of cyber

CBO A series of issue summaries from the Congressional Budget Office JULY 20, 2005 Federal Funding for Homeland Security: An Update The terrorist attacks of September 11, 2001, heightened Congressional

Information & Security: An International Journal Valentyn Petrov, vol.31, 2014, 73-77 http://dx.doi.org/10.11610/isij.3104 ESTABLISHING A NATIONAL CYBERSECURITY SYSTEM IN THE CONTEXT OF NATIONAL SECURITY

The Role of the Emergency Manager: Has It Changed Since 9-11-01? By Michael J. Fagel, Ph.D., CEM For years, many have defined emergency management as the organization that is known by responses to weather

Strategy and Performance Management in the Government A White Paper By James B. Whittaker Retired Rear Admiral, U.S. Navy, and author of President s Management Agenda: A Balanced Scorecard Approach 444

To ensure the functioning of the site, we use cookies. We share information about your activities on the site with our partners and Google partners: social networks and companies engaged in advertising and web analytics. For more information, see the Privacy Policy and Google Privacy &amp Terms.
Your consent to our cookies if you continue to use this website.